Getting error "ACS_FAILED_PROCESS_FAILURE" and 500 in browser
Article ID: 188685
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER
Issue/Introduction
We're running a Federation Services as SP (Service Provider) and when
the browser comes back to the Assertion Consumer page on our SP
(Service Provider) after having successfully authenticated at IdP
(Identity Provider), then the Federation Service returns error 500 to
the browser.
https://mysp.sp.com/affwebservices/public/saml2assertionconsumer
HTTP Status 500 - Internal Error occured while trying to process the
request. Transaction ID:
beea39ed-52f0ed02-c785bf98-7e237392-2a8392dd-f7 failed.
The Federation Service shows error :
"ACS_FAILED_PROCESS_FAILURE"
How can we fix this ?
Cause
The request ends with 500 error :
logs.saz
fiddler.saz :
Line 1 :
GET https://myidp.idp.com/sso/saml?SAMLRequest=pVHLboMwELznK5DvYDAkEAuQIkWRIqUPtVEPvUTGmMYN2MRrquTva1Ck9NJeuoc97MzOjmbz1WCP6kWcBwHWW7smFbNSqwIdre2BYiy%2BzNU6AEAH%2BmRZwHWHWd9PgDYfaRbPY3IYIWBd65BW8knjEGFxOSWmS8%2F2s9ro3dNeJpcFdkp4pCJvuy7QoWYJbzhbxiwlQrCsqpZN6IZknpE4Zsu6IgtHBRjEVoFlyhaIhCT0w8QP032Y0YTQOHlH3pswMHknQYi8S9cqKNBgFNUMJFDFOgHUcvq6ethRx6G90VZz3aJy5rnKFUR0OmS8jTYds7%2BvR0E0TWTtNxOVDgp6wWUjRX07Tp3e3wYYgDBjVqgclcYQfehzfDdyc%2FboVrfrZ%2B2yvf7TGy5nOf759%2FIb
HTTP/1.1 200 OK
Date: Tue, 07 Apr 2020 08:43:01 GMT
Server: Apache
Line 2 :
POST https://mysp.sp.com/affwebservices/public/saml2assertionconsumer
SAMLResponse=rVXBbtpAED23Uv%2FB8h1sr01srwIpDYqE1CRSSHPopVp2x81WeG1510n4%2B84aMDYhtFUjcWGYnffmvZnh%2FOIlXzlPUGlZqLEbDH3XAcULIdXPsfvt%2FmqQuBeTc83yFSnpHeiyUBqcGWgjFTPNo0djSk09L1%2FrcogfXuQey7JnWGqoniQH7ZX1ciW515RhGsP2JcdSdQ6V68xnY1eKIE6DlETRKAqCyCckJn4QR2GYno0wRe3A74ux%2B0OwiGdCM6ZF9qwFS5bLNPMxSkgYslQsyRm%2B0bqGudKGKTN2iU%2F8gR8N%2FPjeT2gUUj8Yxj757joPu%2FaJbR8FUZpuOh67daVowbTUVLEcNDWcLqbXXymm0rIqTMGLlTv59HEjEW0gK%2BeqqHJmTr%2B2ESkGWZNKQRlp1j30089bGS264%2BRrKcqBFMjE61JpqZV0YZipdZPdD10WApwHtqrhNKRusumi5uipdr1JC9YpvhViuqPXMxcgSRJCIoKejphmQUDewaZ%2FEuqdjGpqdWXHyofCt2CLevkLuNm%2B2QZvsOx89kcGwTA4YFArXQKXmQSxo4FE4PNm9bYYXhekD7xlc1moTNqC1qRrMI%2BFOK0Dz%2BkSWIUL26K%2BXXHGDDu6tJylIYtxEuzO4voy3OJmcUdJZ3VvCnOrbqtpZqB6NRPJfibuUIhSgh2c%2Fz5D3qSv3ZGuJl2fu65uhcBcIW2ith18AXQMDumHHfp%2F2Wbfv2ktsGMOqK2pJG95HUnB%2BAerx3ZCu911Uo6FD4vvft932O17WptHZU8A5OiF03x9a6MJHaXDOEqx%2FQWeESw1VwJejs7H5qaP7F9COxuHYiAUkjLwYl6rsP%2FtcoWG30FmFTl5LTjlNhXDnT17Ld7Rym%2Bl9BTsa7W%2FofuT2b2ruwWa%2FAY%3D
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Apr 2020 08:43:02 GMT
Server: Apache/2.4.29 (Win64) OpenSSL/1.0.2l-fips mod_jk/1.2.42
HTTP Status 500 - Internal Error occured while trying to process the
request. Transaction ID:
137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a failed.
affwebserv.log :
[2844/8752][Tue Apr 07 2020 12:20:59][AssertionConsumer.java][ERROR][sm-FedClient-02
890] Transaction with ID: 1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496 failed. R
eason: ACS_FAILED_PROCESS_FAILURE (, , )
FWSTrace.log :
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
[FWSBase.java][authenticateUser][Passing response message through login call [CHECKP
OINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
[FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
[FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
[FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication
failed.]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
[AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
[AssertionConsumer.java][redirectLoginFailure][AuthReason=48]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
[ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]
The Policy Server consumes successfully the assertion, but it finds 2
users with the same mail attribute, and as such, it cannot disambiguate
the user and it fails :
smtracedefault.log<SM2> :
[04/07/2020][14:21:00.067][14:21:00][3056][3544][SmMessage.cpp:557][CSmMessage::Pars
eAgentMessage][s17816/r365][][][][][][][][][][][][][][][][][][][1280942c-0033dc38-c6
85a3fc-98cec5cc-6a0824bb-496][Receive request attribute 221, data size is 48][][][][
][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][14:21:00.067][14:21:00][3056][3544][Saml2Validator.java][checkAssertion
][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][][][][][][][][][][][][][][][][][
][][][Assertion not rejected(id179327112032433342074115472): POST binding request, s
ig processing disabled][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][
][][][][][][][]
[04/07/2020][14:21:00.067][14:21:00][3056][3544][SmAuthSaml.cpp:1478][SmAuthenticate
][][][][][][][][][][][][][][][][][][][][][Search Pattern: [email protected]][][][][][
][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][14:21:00.067][14:21:00][3056][3544][SmDsDir.cpp:66][CSmDsDir::CSmDsDir]
[][][][][][][][][][][][][][][][][][][About to initialize directory, Oid='0e-e7d7cd6d
-55w2-4ffb-9e48-19e092c03805', Name='myspstore'][][Start of call InitDir.][
][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][14:21:00.067][14:21:00][3056][3544][SmDsLdapProvider.cpp:1901][CSmDsLda
pProvider::SearchImpl][][][][][][][][][][][][][][][][][][][][][search filter is : (&
(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organiza
tion)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfU
niqueNames)(objectclass=group))([email protected]))][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][14:21:00.223][14:21:00][3056][3544][SmDsLdapProvider.cpp:2344][CSmDsLda
pProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Base: 'ou=postqa,dc=
tenants,dc=home', Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOr
gPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=group
OfNames)(objectclass=groupOfUniqueNames)(objectclass=group))([email protected]))'.
Status: 2 entries.][][Ldap Search callout succeeds.][][][][][][][][][][][
][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][14:21:00.223][14:21:00][3056][3544][SmAuthSaml.cpp:2315][SmAuthenticate
][][][][][][][][][][][][][][][][][][][][][User directory : 'myspstore', ret
urned more than one user for search: '[email protected]'. Failed to disa
mbiguate user uniquely. Returning user not found status code.][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][14:21:00.223][14:21:00][3056][3544][Sm_Auth_Message.cpp:4902][CSm_Auth_
Message::SendReply][s17816/r365][samlidp:myidp][][][][samlidp:myidp][samlidp:myidp]
[myspstore][][][][][][][][][][][][][** Status: Authentication Attempt
Failed. ][][][][][][48][][samlidp:mysp-idp-partnership][][][][][][][][][06-56351236-
84b4-4ff2-82f2-0f61f9f1be6e][][][][][][][][][][][][][][][][][][][][][]
You should insure that users from the User Directory are uniques !
Environment
CA Access Gateway (SPS) 12.8SP0 on Windows 2016;
Policy Server 12.8SP1 on Windows 2016;
Resolution
- In User Directory
myspstore 10.0.0.1:10000
insure that only 1 user has attribute :
[email protected]
to solve this issue;
Feedback
Yes
No
Powered by
